
Privacy Policy

Last updated: 1 April 2026

1. Introduction

Welcome to Berkedai. This Privacy Policy explains how Berkedai Digital Enterprise ("Berkedai", "we", "us", or "our") collects, uses, stores, and discloses personal data when you use our platform at berkedai.com and its associated subdomains.

Berkedai is a multi-tenant e-commerce platform that enables merchants to create online storefronts and sell products to customers. This policy applies to all users of our platform, including merchants (sellers who create and operate storefronts) and customers (buyers who purchase from storefronts hosted on Berkedai).

By accessing or using Berkedai, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms of this policy, please discontinue use of our platform.

2. Data Controller Information

The data controller responsible for your personal data is:

  • Company name: Berkedai Digital Enterprise
  • Country of registration: Malaysia
  • Email: privacy@berkedai.com

As a data controller, Berkedai Digital Enterprise is registered and operates under Malaysian law, including the Personal Data Protection Act 2010 (PDPA). We are committed to processing personal data responsibly and transparently.

3. Personal Data We Collect

3.1 Merchant Data

When you register as a merchant and operate a storefront on Berkedai, we collect:

  • Full name and contact information (email address, phone number)
  • Business name, business type, and related business details
  • Bank account details (for settlement and withdrawal of sales proceeds)
  • Business address and registered address
  • Profile and storefront settings, including logos, banners, and product information you upload
  • Subscription and billing history related to your Berkedai plan

3.2 Customer Data

When you place an order through a storefront hosted on Berkedai, we collect:

  • Full name and email address
  • Phone number
  • Shipping and delivery address
  • Order details, including items purchased, quantities, and total amount
  • Order history and transaction references

Note: Payment card data is not collected or stored by Berkedai. All payment processing is handled directly by our payment partners (Stripe and BillPlz) under their own security standards and privacy policies.

3.3 Automatically Collected Data

When you interact with our platform, we may automatically collect:

  • IP address and approximate geographic location
  • Browser type and version
  • Device type and operating system
  • Pages visited and time spent on the platform
  • Referral source and navigation patterns
  • Error logs and diagnostic data used to maintain platform stability

4. How We Use Personal Data

We use the personal data we collect for the following purposes, consistent with the Notice and Choice principle under the Malaysian PDPA:

  • Account management: To create, verify, and maintain merchant accounts on our platform.
  • Order processing: To facilitate the placement, fulfilment, and tracking of customer orders placed through merchant storefronts.
  • Payment processing: To initiate and verify payments for orders and merchant subscriptions, in coordination with our payment processors.
  • Shipping and delivery: To generate shipping labels and provide tracking information through our shipping integration (EasyParcel).
  • Merchant payouts: To process settlements and withdrawals to registered merchant bank accounts.
  • Communication: To send transactional emails such as order confirmations, shipping notifications, account alerts, and platform-related updates.
  • Customer support: To respond to enquiries, resolve disputes, and provide assistance to merchants and customers.
  • Platform improvement: To monitor and analyse platform performance, identify bugs, and improve the user experience.
  • Legal compliance: To comply with applicable Malaysian laws and regulations, including tax reporting and regulatory obligations.
  • Security: To detect, prevent, and respond to fraud, abuse, or unauthorised access to the platform.

We will not use your personal data for purposes incompatible with those described above without obtaining your prior consent.

5. Legal Basis for Processing

Under Section 6 of the Personal Data Protection Act 2010 (Malaysia), the processing of personal data must be based on one or more of the following grounds:

  • Consent: Where you have given us clear, informed consent to process your personal data for a specific purpose. You may withdraw your consent at any time by contacting us at privacy@berkedai.com.
  • Contractual necessity: Where processing is necessary to fulfil a contract you are a party to — for example, to process your order, deliver goods, or provide you with access to the Berkedai platform as a merchant.
  • Legal obligation: Where processing is required by Malaysian law or regulation, including obligations under the Income Tax Act 1967, Companies Act 2016, or orders from law enforcement authorities.
  • Legitimate interests: Where processing is necessary for purposes of our legitimate business interests (such as fraud prevention, platform security, and service improvement), provided that these interests are not overridden by your rights and freedoms.

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data to any third party. We only share your personal data with third parties where it is necessary to provide our services, comply with the law, or protect our rights. Below is a list of parties we may share data with and the reasons for doing so:

  • Payment processors (Stripe and BillPlz): We share transaction-related data with our payment partners to process payments for orders and subscriptions. These providers operate under their own privacy policies and security certifications (e.g., PCI DSS). Stripe is based in the United States; BillPlz is a Malaysian payment gateway.
  • Shipping provider (EasyParcel): Customer name, phone number, and shipping address are shared with EasyParcel to arrange and track deliveries. EasyParcel is a Malaysian logistics aggregator.
  • Cloud storage (Cloudflare R2): Merchant-uploaded assets such as product images, logos, and banners are stored on Cloudflare's R2 object storage. Cloudflare operates a global network; your assets may be served from servers outside Malaysia.
  • Email service (Mailgun): We use Mailgun to send transactional emails including order confirmations, account alerts, and platform notifications. Email addresses and related order data are shared with Mailgun for this purpose.
  • Error monitoring (Sentry): We use Sentry in our production environment to capture application errors and diagnose platform issues. We configure Sentry to minimise the capture of personally identifiable information; however, some technical context (such as anonymised session data) may be included in error reports.
  • Between merchants and customers: When a customer places an order through a merchant's storefront, the customer's order details (name, contact, shipping address) are made available to the relevant merchant for the purpose of fulfilling that order.
  • Law enforcement and regulatory bodies: We may disclose personal data to Malaysian law enforcement agencies, courts, or regulatory authorities where required by law, court order, or where we believe disclosure is necessary to protect the rights, property, or safety of Berkedai, our users, or the public.

7. Data Retention

We retain personal data only for as long as necessary for the purposes outlined in this policy, or as required by Malaysian law:

  • Active account data: Merchant and customer account data is retained for the duration of the account's active status. Merchants may request deletion of their account and associated data at any time.
  • Order records: Transaction and order records are retained for a minimum of seven (7) years in compliance with Malaysian tax and accounting requirements under the Income Tax Act 1967.
  • Closed accounts: Upon account closure or deletion request, personal data will be anonymised or deleted within a reasonable period, subject to any legal obligation to retain specific records.
  • Error logs and diagnostic data: Automatically collected technical data and error logs are typically retained for no more than 90 days.

8. Your Rights Under the PDPA

As a data subject under Malaysia's Personal Data Protection Act 2010, you have the following rights regarding your personal data:

  • Right to access: You have the right to request access to the personal data we hold about you. We will provide you with a copy of your data within a reasonable time upon receipt of a valid request.
  • Right to correct: You have the right to request correction of any inaccurate, incomplete, or outdated personal data we hold about you. Merchants may update most of their data directly through the seller dashboard settings.
  • Right to withdraw consent: Where we process your personal data based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
  • Right to prevent processing for direct marketing: You have the right to request that we cease processing your personal data for direct marketing purposes. Where applicable, you may also unsubscribe from marketing communications using the unsubscribe link in any marketing email.
  • Right to limit processing: In certain circumstances, you may request that we restrict the processing of your personal data, for example, while we verify the accuracy of data you have disputed.

To exercise any of these rights, please contact us at privacy@berkedai.com with your name, contact details, and a clear description of your request. We may request proof of identity before processing your request. We will respond within 21 calendar days of receiving a verified request.

9. Cookies and Tracking

Berkedai uses cookies and similar technologies to operate the platform, maintain session state, and remember your preferences. We do not use third-party advertising cookies or cross-site tracking technologies.

  • Authentication cookies (httpOnly): These cookies are set when you log in and are used to maintain your authenticated session. They are marked as httpOnly, meaning they cannot be accessed by client-side JavaScript. These cookies are essential for the platform to function and cannot be disabled.
  • Preference and state cookies: We use cookies to persist your application state, such as cart contents and storefront preferences. These are stored using Pinia state management and cleared when no longer needed.
  • CSRF protection tokens: We use CSRF tokens to protect against cross-site request forgery attacks. These are session-based and not used for tracking.

We do not use cookies for advertising, remarketing, or tracking your activity across third-party websites.

10. Data Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, disclosure, alteration, or destruction. These measures include:

  • Encryption of data in transit using TLS/HTTPS across all platform endpoints
  • Secure storage of sensitive credentials using environment-level configuration, not in source code
  • Strict access controls limiting internal access to personal data on a need-to-know basis
  • Use of PCI DSS-compliant payment processors so that payment card data is never handled or stored by Berkedai
  • Regular monitoring of platform security and error tracking in production

While we take reasonable precautions to safeguard your data, no method of transmission or storage over the internet is completely secure. In the unlikely event of a data breach that affects your rights and interests, we will notify affected parties in accordance with our obligations under Malaysian law.

11. International Data Transfers

Berkedai Digital Enterprise is based in Malaysia and our primary data processing occurs within Malaysia. However, some of the third-party service providers we use operate internationally. As a result, your personal data may be transferred to and processed in countries outside Malaysia, including:

  • Stripe — headquartered in the United States, processes payment data under US and EU data protection frameworks
  • Cloudflare — a global network operator; your uploaded assets may be cached or served from servers located outside Malaysia
  • Mailgun — email delivery infrastructure operating from the United States and European Union
  • Sentry — error tracking infrastructure hosted in the United States

Where such transfers occur, we take steps to ensure that appropriate safeguards are in place in accordance with the requirements of Malaysia's PDPA and, where applicable, the data protection laws of the destination country.

12. Children's Privacy

Berkedai is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. By registering as a merchant or placing an order as a customer, you represent that you are at least 18 years of age.

If we become aware that we have inadvertently collected personal data from a person under the age of 18, we will take steps to delete that data promptly. If you believe we may have collected data from a minor, please contact us at privacy@berkedai.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify affected users by email or through a notice on the platform.

Your continued use of Berkedai following the posting of any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact our data protection team:

  • Company: Berkedai Digital Enterprise
  • Email: privacy@berkedai.com
  • Country: Malaysia

We aim to respond to all data protection enquiries within 21 calendar days. If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Department of Malaysia (Jabatan Perlindungan Data Peribadi) at www.pdp.gov.my.
